# NIST SP 800-171 Revision 2 in Security Hub CSPM
<a name="standards-reference-nist-800-171"></a>

NIST Special Publication 800-171 Revision 2 (NIST SP 800-171 Rev. 2) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information in systems and organizations that aren't part of the U.S. federal government. *Controlled Unclassified Information*, also referred to as *CUI*, is sensitive information that doesn't meet government criteria for classification but must be protected. It's information that is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government.

NIST SP 800-171 Rev. 2 provides recommended security requirements for protecting the confidentiality of CUI when:
+ The information resides in non-federal systems and organizations,
+ The non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and
+ There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

The requirements apply to all components of non-federal systems and organizations that process, store, or transmit CUI, or provide security protection for the components. For more information, see [NIST SP 800-171 Rev. 2](https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final) in the *NIST Computer Security Resource Center*.

AWS Security Hub CSPM provides security controls that support a subset of NIST SP 800-171 Revision 2 requirements. The controls perform automated security checks for certain AWS services and resources. To enable and manage these controls, you can enable the NIST SP 800-171 Revision 2 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-171 Revision 2 requirements that require manual checks.

**Topics**
+ [Configuring resource recording for the standard](#standards-reference-nist-800-171-recording)
+ [Determining which controls apply to the standard](#standards-reference-nist-800-171-controls)

## Configuring resource recording for controls that apply to the standard
<a name="standards-reference-nist-800-171-recording"></a>

To optimize coverage and the accuracy of findings, it's important to enable and configure resource recording in AWS Config before you enable the NIST SP 800-171 Revision 2 standard in AWS Security Hub CSPM. When you configure resource recording, also be sure to enable it for all the types of AWS resources that are checked by controls that apply to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources and generate accurate findings for controls that apply to the standard.

For information about how Security Hub CSPM uses resource recording in AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For information about configuring resource recording in AWS Config, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-171 Revision 2 standard in Security Hub CSPM.


| AWS service | Resource types | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 
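
As an added example (not part of the AWS documentation), the following Python checks a recorder description in the shape returned by AWS Config's `describe_configuration_recorders` against the table above, and builds a recording group that records exactly those types for `put_configuration_recorder`. The recorder shape, the recording-strategy values, and the sample recorder are assumptions based on the AWS Config API, not anything shown on this page.

```python
# Added example: find gaps between an AWS Config recorder's recordingGroup and the
# resource types the NIST SP 800-171 Rev. 2 standard needs, before enabling it.

# Resource types from the table above.
REQUIRED_TYPES = frozenset({
    "AWS::ACM::Certificate", "AWS::ApiGateway::Stage", "AWS::CloudFront::Distribution",
    "AWS::CloudWatch::Alarm", "AWS::EC2::ClientVpnEndpoint", "AWS::EC2::NetworkAcl",
    "AWS::EC2::SecurityGroup", "AWS::EC2::VPC", "AWS::EC2::VPNConnection",
    "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::IAM::Policy", "AWS::IAM::User",
    "AWS::KMS::Alias", "AWS::KMS::Key", "AWS::NetworkFirewall::FirewallPolicy",
    "AWS::NetworkFirewall::RuleGroup", "AWS::S3::Bucket", "AWS::SNS::Topic",
    "AWS::SSM::PatchCompliance", "AWS::WAFv2::RuleGroup",
})
# IAM resources are global: under "all supported" recording they are only
# captured when includeGlobalResourceTypes is set on the recorder.
GLOBAL_TYPES = frozenset({"AWS::IAM::Policy", "AWS::IAM::User"})


def missing_types(recorder: dict) -> set:
    """Return required types that the recorder (one entry of the assumed
    describe_configuration_recorders response) does not record."""
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:  # legacy shape: allSupported decides the strategy
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        recorded = set(REQUIRED_TYPES)
        if not group.get("includeGlobalResourceTypes"):
            recorded -= GLOBAL_TYPES
    elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        recorded = REQUIRED_TYPES - excluded
    else:  # INCLUSION_BY_RESOURCE_TYPES: only the listed types are recorded
        recorded = set(group.get("resourceTypes", []))
    return set(REQUIRED_TYPES - recorded)


def inclusion_recording_group() -> dict:
    """recordingGroup that records exactly the required types (assumed put_configuration_recorder shape)."""
    return {"allSupported": False, "includeGlobalResourceTypes": False,
            "resourceTypes": sorted(REQUIRED_TYPES)}


# Constructed sample: records all supported types but not global IAM resources.
SAMPLE_RECORDER = {"name": "default",
                   "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}}

if __name__ == "__main__":
    print(sorted(missing_types(SAMPLE_RECORDER)))  # ['AWS::IAM::Policy', 'AWS::IAM::User']
```

Run it against each recorder returned for the account and Region where the standard will be enabled; any non-empty result is a resource type the standard's controls cannot evaluate.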

## Determining which controls apply to the standard
<a name="standards-reference-nist-800-171-controls"></a>

The following list specifies the controls that support NIST SP 800-171 Revision 2 requirements and apply to the NIST SP 800-171 Revision 2 standard in AWS Security Hub CSPM. For details about specific requirements that a control supports, choose the control. Then refer to the **Related requirements** field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2)
+ [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)
+ [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)
+ [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)
+ [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)
+ [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)
+ [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)
+ [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)
+ [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)
+ [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)
+ [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)
+ [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)
+ [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)
+ [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)
+ [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)
+ [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15)
+ [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)
+ [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10)
+ [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)
+ [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16)
+ [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18)
+ [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19)
+ [[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20)
+ [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)
+ [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51)
+ [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager](elb-controls.md#elb-2)
+ [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3)
+ [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration](elb-controls.md#elb-8)
+ [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)
+ [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21)
+ [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)
+ [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2)
+ [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3)
+ [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5)
+ [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6)
+ [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)
+ [[S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts](s3-controls.md#s3-6)
+ [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)
+ [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11)
+ [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14)
+ [[S3.17] S3 general purpose buckets should be encrypted at rest with AWS KMS keys](s3-controls.md#s3-17)
+ [[SNS.1] SNS topics should be encrypted at-rest using AWS KMS](sns-controls.md#sns-1)
+ [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)
+ [[WAF.12] AWS WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12)